As many as 40 million Target customers were hacked over the holidays when thieves got into their credit and debit card data. If you shopped at Target between November 27 and December 15 while thieves were hacking data, you’re unlikely to lose a dime. Federal law and industry practices protect virtually all customers from any liability for fraudulent charges.
The trouble is that so many breaches occur in the first place. Credit and debit card fraud has nearly quadrupled in the past decade, hitting $11.3 billion in losses worldwide last year. That hurts profits and raises the cost of goods. The U.S. accounts for more than its share of fraud, and hardly a month goes by without a breach at some large U.S. retailer, in part because the U.S. lags other countries in card security.
After the Target breach, the stolen account information flooded underground markets that operate on the Internet, selling batches of data that allow thieves to counterfeit cards and shop till they drop. The best thing that could happen is if this latest megabreach forced the industry and Congress to fix some of the system’s most troubling vulnerabilities.
Cyberthieves are growing more sophisticated, and nothing can prevent every data breach. But when a company as big as Target can be hacked for 19 days to the tune of 40 million records, consumers deserve more modern and tougher protections.
Some ideas for curbing cybercrime:
Put stronger protections on debit cards. Credit cards carry the gold standard in protection against having to pay for fraudulent charges. Federal law limits losses to $50, and most issuers take that down to zero. After a data breach, debit cards are similarly protected. But if your debit card is lost or stolen, by law you could lose up to $500, and reimbursement may depend on how quickly you report the loss. There’s no sound reason for the gap. It should be eliminated.
Set federal standards to protect data. The industry, led by Visa and MasterCard, has always provided its own security standards to keep data safe. Obviously, they’re not working. Federal standards could help, especially if backed by sanctions for flouting them. The Federal Trade Commission has some authority, but the law is nearly 100 years old, and some companies have challenged the agency in court. Since the Target breach, several senators have been calling for more federal authority.
Get with the 21st century. The U.S. is far behind Europe, which almost a decade ago replaced the magnetic stripe on cards with a digital chip that prevents thieves from counterfeiting cards with stolen data. That’s one reason the U.S. has become a mecca for hackers. The U.S. industry is migrating to these “EMV” cards, but it has moved slowly. The players fight among themselves over everything from who pays to the type of security. Requiring cardholders to use PINs would provide the best security. Whatever the decision, the industry needs to get moving to meet a self-imposed 2015 deadline.